summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2018-08-17 15:22:41 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-20 17:38:23 +0100
commite18f891394e7c6dc0917597f394b424d5e47642d (patch)
tree5b1e7cc48cf80c6dca1dee821618e5fc803c571d /meta
parentbd1e1aaf1dfbf00264ebad1ef603d7d3c38465db (diff)
downloadpoky-e18f891394e7c6dc0917597f394b424d5e47642d.tar.gz
libxml2: fix CVE-2018-9251 and CVE-2018-14567
(From OE-Core rev: b91b276696fb5e0b633b73be408bd750ac4e28ce) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch55
-rw-r--r--meta/recipes-core/libxml/libxml2_2.9.8.bb1
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch b/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch
new file mode 100644
index 0000000000..16c229574c
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-Fix-infinite-loop-in-LZMA-decompression.patch
@@ -0,0 +1,55 @@
1From 28a9dc642ffd759df1e48be247a114f440a6c16e Mon Sep 17 00:00:00 2001
2From: Nick Wellnhofer <wellnhofer@aevum.de>
3Date: Mon, 30 Jul 2018 13:14:11 +0200
4Subject: [PATCH] Fix infinite loop in LZMA decompression
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Check the liblzma error code more thoroughly to avoid infinite loops.
10
11Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
12Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
13
14This is CVE-2018-9251 and CVE-2018-14567.
15
16Thanks to Dongliang Mu and Simon Wörner for the reports.
17
18CVE: CVE-2018-9251
19CVE: CVE-2018-14567
20Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74]
21Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
22---
23 xzlib.c | 9 +++++++++
24 1 file changed, 9 insertions(+)
25
26diff --git a/xzlib.c b/xzlib.c
27index a839169..0ba88cf 100644
28--- a/xzlib.c
29+++ b/xzlib.c
30@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
31 "internal error: inflate stream corrupt");
32 return -1;
33 }
34+ /*
35+ * FIXME: Remapping a couple of error codes and falling through
36+ * to the LZMA error handling looks fragile.
37+ */
38 if (ret == Z_MEM_ERROR)
39 ret = LZMA_MEM_ERROR;
40 if (ret == Z_DATA_ERROR)
41@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
42 xz_error(state, LZMA_PROG_ERROR, "compression error");
43 return -1;
44 }
45+ if ((state->how != GZIP) &&
46+ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
47+ xz_error(state, ret, "lzma error");
48+ return -1;
49+ }
50 } while (strm->avail_out && ret != LZMA_STREAM_END);
51
52 /* update available output and crc check value */
53--
542.7.4
55
diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb
index 4ebd2ef383..f01cb2cd34 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.8.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
22 file://fix-execution-of-ptests.patch \ 22 file://fix-execution-of-ptests.patch \
23 file://fix-CVE-2017-8872.patch \ 23 file://fix-CVE-2017-8872.patch \
24 file://fix-CVE-2018-14404.patch \ 24 file://fix-CVE-2018-14404.patch \
25 file://0001-Fix-infinite-loop-in-LZMA-decompression.patch \
25 " 26 "
26 27
27SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d" 28SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"